VYPR
Unrated severity · NVD Advisory · Published May 25, 2026

code-projects Employee Management System applyleaveprocess.php sql injection

CVE-2026-9451

Description

A weakness has been identified in code-projects Employee Management System 1.0. Affected by this vulnerability is an unknown functionality of the file /process/applyleaveprocess.php. This manipulation of the argument ID causes sql injection. The attack can be initiated remotely. The exploit has been made available to the public and could be used for attacks.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

SQL injection in Employee Management System 1.0's applyleaveprocess.php allows remote attackers to manipulate database queries via the id parameter.

Vulnerability

A SQL injection vulnerability exists in code-projects Employee Management System 1.0 in the file /process/applyleaveprocess.php. The id parameter, read from the request's query string, is concatenated directly into an SQL INSERT statement without parameterization, as shown in the source: $sql = "INSERT INTO employee_leave(id,token, start, end, reason, status) VALUES ('$id','','$start','$end','$reason','Pending')"; [2]. Because the value is placed inside single quotes, a single quote in the input terminates the string literal and whatever follows is parsed as SQL. The same untrusted id value is also reflected into the Location header of the redirect that follows the insert, which is where the response splitting or open redirect concerns raised in [2] come from.

Exploitation

According to [2], the attack can be carried out remotely without authentication by sending a crafted POST request to /process/applyleaveprocess.php with the malicious value in the id query-string parameter; the exploit is public [2]. The reference uses a time-based blind payload, 101'and(select*from(select+sleep(5))a//union//select+1)=' (URL-encoded when sent as id): the leading quote closes the string literal, the injected subquery calls MySQL's sleep(5) while the INSERT is evaluated, and the trailing =' re-balances the quoting against the closing quote of the original query so the statement still parses. The server then redirects to eloginwel.php?id=, and the roughly five-second delay before that redirect, rather than the redirect itself, is what confirms the injection [2].
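Because the application answers every request with the same redirect, the web server's access log is the only place the attack described above leaves a trace. The script below is an added example for this advisory, not code from the project or from reference [2]; it flags requests to /process/applyleaveprocess.php whose id parameter does not look like an employee ID, using the path and parameter name from the advisory. The log lines are constructed for the example (the second one carries the payload quoted above, URL-encoded), and the "sqli-pattern" markers are the author's choice rather than anything the advisory specifies.

```php
<?php
// Added example, not part of the advisory or the Employee Management System
// code: flag access-log requests whose applyleaveprocess.php id parameter does
// not look like an integer employee ID. Log lines are constructed for this example.
declare(strict_types=1);

function sample_log(): string
{
    return <<<'LOG'
203.0.113.5 - - [25/May/2026:10:01:02 +0000] "GET /process/applyleaveprocess.php?id=101&start=2026-06-01&end=2026-06-03&reason=trip HTTP/1.1" 302 0
203.0.113.5 - - [25/May/2026:10:01:09 +0000] "POST /process/applyleaveprocess.php?id=101%27and%28select%2Afrom%28select%2Bsleep%285%29%29a%2F%2Funion%2F%2Fselect%2B1%29%3D%27 HTTP/1.1" 302 0
198.51.100.7 - - [25/May/2026:10:02:00 +0000] "GET /process/applyleaveprocess.php?id=7%20OR%201%3D1 HTTP/1.1" 302 0
203.0.113.9 - - [25/May/2026:10:03:00 +0000] "GET /index.php HTTP/1.1" 200 512
LOG;
}

// Tokens that have no business in an integer employee ID. They are matched
// after URL decoding, so %27 and %28 cannot hide a quote or a parenthesis.
const SQLI_MARKERS = '/\'|"|--|\/\*|\bsleep\s*\(|\bbenchmark\s*\(|\bunion\b|\bselect\b|\bor\s+\d+\s*=\s*\d+/i';

function classify_id(string $id): string
{
    if (preg_match('/^\d+$/', $id)) {
        return 'ok';
    }
    return preg_match(SQLI_MARKERS, $id) ? 'sqli-pattern' : 'non-numeric';
}

/** One row per suspicious request: [timestamp, client, method, decoded id, verdict]. */
function suspicious_requests(string $log): array
{
    $hits = [];
    foreach (preg_split('/\R/', trim($log)) as $line) {
        // Common Log Format request line: client, identd, user, [time], "METHOD target HTTP/x"
        if (!preg_match('/^(\S+) \S+ \S+ \[([^\]]+)\] "(GET|POST) (\S+) HTTP\/[\d.]+"/', $line, $m)) {
            continue;   // not a request line this scanner understands
        }
        [, $client, $ts, $method, $target] = $m;
        if (parse_url($target, PHP_URL_PATH) !== '/process/applyleaveprocess.php') {
            continue;
        }
        // parse_str URL-decodes the values, so the check sees what PHP saw in $_GET.
        parse_str((string) parse_url($target, PHP_URL_QUERY), $params);
        $id = (string) ($params['id'] ?? '');
        $verdict = classify_id($id);
        if ($verdict !== 'ok') {
            $hits[] = [$ts, $client, $method, $id, $verdict];
        }
    }
    return $hits;
}

foreach (suspicious_requests(sample_log()) as [$ts, $client, $method, $id, $verdict]) {
    printf("%s %s %s id=%s [%s]\n", $ts, $client, $method, $id, $verdict);
}
```

Run with php on a real log by replacing sample_log() with file_get_contents() of the access log. The scanner deliberately works from the decoded query rather than from raw-string matching, because the payload in the advisory only becomes recognisable once %27 and %28 are decoded; a request whose id is merely non-numeric is still reported, since the page never expects anything but an integer there.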

Impact

Successful exploitation lets an attacker alter the INSERT statement and, depending on the privileges of the database account the application uses, insert or modify data they are not authorized to touch. Because the script returns no query results, extraction relies on blind techniques: time delays such as the sleep(5) payload can be used to infer database structure and extract data one condition at a time [2]. The reflection of id into the redirect's Location header may additionally enable response splitting or an open redirect in some configurations [2]; note, however, that PHP's header() has rejected values containing CR or LF since PHP 5.1.2, so header injection would require an outdated runtime, and because the value is appended only as a query parameter of a fixed target script, an open redirect is unlikely in practice.

Mitigation

No official patch has been released for Employee Management System 1.0 [1], and the project appears to be unmaintained. As a workaround, validate id as a positive integer before it touches the query (the vulnerable code treats it as a string), rewrite the INSERT as a prepared statement so that values are passed to the database separately from the SQL text, and build the redirect Location from the validated value rather than the raw parameter. Where the code cannot be changed, rejecting non-numeric id values for this path at the web server or WAF is a stopgap. This vulnerability is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog as of the publication date.
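The following is an added example, not code from the advisory or from the Employee Management System project: it places the vulnerable pattern quoted in the Vulnerability section beside a hardened replacement that applies the workaround above. Everything beyond the quoted INSERT is an assumption made for the example: a live mysqli connection in $db, a request array $req with the keys used by the query, a YYYY-MM-DD format for start and end, a 500-character cap on reason, and a relative redirect target of eloginwel.php.

```php
<?php
// Added example, not code from the advisory or the Employee Management System
// project. Assumptions (not from the advisory): a mysqli connection in $db,
// the column names of the quoted query, YYYY-MM-DD dates, and a redirect to
// the relative target "eloginwel.php".
declare(strict_types=1);

// ---- Vulnerable form (the pattern quoted in the advisory) -----------------
// Every value is interpolated into the SQL string; a single quote in id ends
// the literal and the remainder of the input executes as SQL. The raw id is
// then reflected into the Location header.
function apply_leave_vulnerable(mysqli $db, array $req): void
{
    $id = $req['id']; $start = $req['start']; $end = $req['end']; $reason = $req['reason'];
    $sql = "INSERT INTO employee_leave(id,token, start, end, reason, status) "
         . "VALUES ('$id','','$start','$end','$reason','Pending')";
    $db->query($sql);
    header("Location: eloginwel.php?id=" . $id);
}

// ---- Hardened form --------------------------------------------------------
function apply_leave_hardened(mysqli $db, array $req): void
{
    // 1. Validate shape first. An employee id is a positive integer, so a value
    //    such as  101'and(select sleep(5))='  is rejected before any query runs.
    $id     = filter_var($req['id'] ?? '', FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    $start  = valid_date((string) ($req['start'] ?? ''));
    $end    = valid_date((string) ($req['end'] ?? ''));
    $reason = trim((string) ($req['reason'] ?? ''));
    if ($id === false || $start === null || $end === null
        || $reason === '' || strlen($reason) > 500 || $end < $start) {
        http_response_code(400);
        exit('invalid leave request');
    }

    // 2. Prepared statement: the SQL text is fixed and the values travel
    //    separately as typed parameters, so input can never change the query.
    $stmt = $db->prepare(
        "INSERT INTO employee_leave (id, token, start, end, reason, status) "
      . "VALUES (?, '', ?, ?, ?, 'Pending')"
    );
    if ($stmt === false) {
        http_response_code(500);
        exit('database error');
    }
    $stmt->bind_param('isss', $id, $start, $end, $reason);
    $stmt->execute();
    $stmt->close();

    // 3. Redirect using only the validated integer. PHP's header() already
    //    refuses CR/LF, but never passing raw input removes the question.
    header('Location: eloginwel.php?id=' . $id);
    exit;
}

// Accept YYYY-MM-DD only, and require an exact round-trip so 2026-02-30 fails.
function valid_date(string $s): ?string
{
    $d = DateTime::createFromFormat('!Y-m-d', $s);
    return ($d !== false && $d->format('Y-m-d') === $s) ? $s : null;
}
```

The integer check alone would stop the payload from [2], but it is the prepared statement that removes the class of bug: even if a later change lets a string through, the database receives it as data, not as part of the statement. The date comparison works because YYYY-MM-DD strings order lexicographically.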

AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

Patches: 0 (no patches discovered yet)


References: 5

News mentions: 0 (no linked articles in the index yet)